Doug and Peter,
This is basically the same question as Damker's post, to which I have responded here:
http://www.wireshark.org/lists/wireshark-users/201007/msg00108.html
Unfortunately each -e field only matches a single instance. You are better
off parsing the PDML output, which outputs all of the fields, and iterating
through the fields. I have created a perl one-liner that can do this:
tshark.exe -T pdml -r "MCNew.cap" | perl -ne \
'@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId); '\
'foreach $f (@flist) { if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$1,";} }'
Output is:
1307690,1307721,2046823431,1310708,1307721,1307690,1307721,3825208323,
1307719,1307721,1307690,1307721,3288337409,1307817,1307721,1307690,
1307721,2449476613,1307690,1307721,752404340,
Note that, since (with this protocol) there seems to be a variable number of
the same field and some are optional (for instance the second opc/dpc set
doesn't have a matching transactionId), I would include the field name in the
output, so:
tshark.exe -T pdml -r "MCNew.cap" | perl -ne \
'@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId); '\
'foreach $f (@flist) { if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f:$1,";} }'
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,
Regards, Martin
[email protected]
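An added example (not Martin's code and not part of Wireshark) that does the same extraction by parsing the PDML as XML instead of matching lines with a regex, so nested <field> elements are found and the document is streamed packet by packet. The PDML below is constructed, not real tshark output: packet 2 lacks the optional h248.transactionId and packet 3 carries two of them.

```python
import io
import xml.etree.ElementTree as ET

WANTED = ("m3ua.protocol_data_opc", "m3ua.protocol_data_dpc", "h248.transactionId")

# Constructed stand-in for "tshark -T pdml" output (values are made up).
SAMPLE_PDML = b"""<pdml version="0">
<packet><proto name="m3ua">
 <field name="m3ua.protocol_data_opc" showname="OPC: 1307690" show="1307690"/>
 <field name="m3ua.protocol_data_dpc" showname="DPC: 1307721" show="1307721"/>
</proto><proto name="h248">
 <field name="h248.transactionId" show="2046823431"/>
</proto></packet>
<packet><proto name="m3ua">
 <field name="m3ua.protocol_data_opc" show="1310708"/>
 <field name="m3ua.protocol_data_dpc" show="1307721"/>
</proto></packet>
<packet><proto name="m3ua">
 <field name="m3ua.protocol_data_opc" show="1307690"/>
 <field name="m3ua.protocol_data_dpc" show="1307721"/>
</proto><proto name="h248"><field name="h248.transactions">
 <field name="h248.transactionId" show="3825208323"/>
 <field name="h248.transactionId" show="3825208324"/>
</field></proto></packet>
</pdml>"""


def packet_fields(pdml_stream, wanted=WANTED):
    """Yield {field name: [every show value, in order]} for each <packet>.
    iterparse streams the file and each packet is cleared after use, so a
    large PDML dump is never held in memory at once."""
    for _event, elem in ET.iterparse(pdml_stream, events=("end",)):
        if elem.tag != "packet":
            continue
        found = {name: [] for name in wanted}
        for field in elem.iter("field"):  # iter() also reaches nested fields
            if field.get("name") in found:
                found[field.get("name")].append(field.get("show", ""))
        elem.clear()
        yield found


def format_row(found, wanted=WANTED):
    """One packet as name:value cells; an absent field is kept as 'name:'
    so columns stay identifiable when an optional field is missing."""
    cells = []
    for name in wanted:
        cells.extend(f"{name}:{v}" for v in (found[name] or [""]))
    return ",".join(cells)


def extract(pdml_bytes, wanted=WANTED):
    return [format_row(f, wanted) for f in packet_fields(io.BytesIO(pdml_bytes), wanted)]
```

To run it on a real capture, pass an open file from `tshark -T pdml -r capture.cap > capture.pdml` to `packet_fields` instead of the BytesIO.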
On Mon, Jul 12, 2010 at 10:42 PM, Douglas Wood <[email protected]> wrote:
> I have created a modified version of Wireshark in which I produce tab
> delimited files that actually aggregate multiple instances of particular
> fields. In fact, the output can become way too voluminous, but it is much
> faster to process these tab delimited files than the PDML output,
> especially when there are 100,000s of packets.
>
> I will attest that the aggregation of multiple instances of a field is
> pretty tricky. I wouldn't mind working with somebody else to try to
> generalize what I have done.
>
> Doug
>
>
>
> Peter Gordon wrote:
> > tshark can be used to display fields using the -T option.
> > If the same field occurs a number of times within a protocol,
> > only one value (the last) gets displayed.
> >
> > As far as I can see the error looks like it comes from the
> > routine proto_tree_write_fields.
> >
> > The -T pdml option gives the correct output, but is too voluminous.
> >
> > Can anyone help with a fix?
>
> There's at least one bug for that:
>
> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3818
>
> It was discussed quite a bit at Sharkfest this year too; there seemed to
> be quite a bit of interest in finding a way to fix it. (But, as
> evidenced by the fact that there is so much interest and it hasn't been
> done yet, it's non-trivial to implement.)
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <[email protected]>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:[email protected]?subject=unsubscribe
>